The response to this mail had the following signature:

Erik, Google Security Team
NOTE: This message was sent by a human.

:P r0cks

The vulnerability was reported on July 27, and fixed on August 4.

2.- A CSRF+XSS vuln in Google Pages + Google Apps For Your Domain

1.- You need to make your victim log into the attacker's GoogleAppsForYourDomain (Google Pages) account.. to do that is not difficult.. you can make a simple script that submits a form the same way as:

https://www.google.com/a/ DOMAIN /ServiceLogin

It's important to take into consideration that the attacker will reveal the user and password (of his GoogleAppsForYourDomain account) to the victim.

2.- Once your victim is logged in, you make your victim go to a "preview" cached version of a page that has a script.. and that's all.

It sounds difficult, but it wasn't: the preview page could be reached with just 1 token that was revealed during the sign-up process.

Well, that one was reported on August 19 and fixed on September 4.

Then, the same day, there was another one, now in the editing page.

3.- Another XSS+CSRF vuln in Google Pages + Google Apps For Your Domain.

In an unpublished page, add this code: <iframe src="javascript:alert(123);"></iframe>

and then, when you leave the site, the code will be executed, and every time someone enters (or leaves) that page.. This could also be used to attack Google Apps pages when there is more than 1 admin.
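As an added defensive example (not code from the original post, and not Google's fix), a server-side check that would have rejected the stored payload above: user-supplied markup is re-serialized, and any URL attribute whose scheme is not on an allow-list is dropped after stripping the control characters browsers ignore. The allow-list, attribute set and function names are hypothetical choices made for this example.

```python
import re
from html import escape
from html.parser import HTMLParser
# Hypothetical allow-list for this example: javascript:, vbscript: and data: are not on it.
SAFE_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"src", "href", "action", "formaction", "data"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

def is_safe_url(value):
    # Browsers ignore chars <= 0x20 inside a URL, so 'java\tscript:' must be caught too.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    match = _SCHEME.match(cleaned)
    if match is None:
        return True  # relative URL, no scheme to abuse
    return match.group(1).lower() in SAFE_SCHEMES

class SchemeSanitizer(HTMLParser):
    """Re-serializes user markup, dropping URL attributes with a disallowed scheme and
    every on* handler. Entities are decoded before the check, so '&#106;avascript:' is
    caught as well. Comments and declarations are not re-emitted."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute, value) for logging or alerting

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on") or (
                value is not None and name in URL_ATTRS and not is_safe_url(value)
            ):
                self.dropped.append((tag, name, value))
                continue
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    handle_startendtag = handle_starttag  # void elements like <img> re-emitted the same way
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape decoded text

def sanitize(markup):
    """Returns (clean_html, dropped) so the caller can store one and log the other."""
    parser = SchemeSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The `dropped` list is the detection hook: a non-empty result on a page save is worth logging, since a legitimate editor rarely types a `javascript:` URL into an iframe.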

Well, this one had a PoC, and was pretty cool :P, but it had some usernames and passwords, so if I release it, the PoC won't last a second.. ¬¬

4.- Data Spoofing at Google Analytics.

Well, this one is still "live", so I won't go into many details. An attacker can make someone using Google Analytics believe that they came from your site (referrer), even if they haven't; they can make them change the URL of the report of activities on a certain user, and a lot of cool stuff that is based on this.

6.- YouTube redirection?

It is not a vulnerability in YouTube, but in some plugins that abuse it.. here it is.

7.- More cool stuff still about to be patched.

Yeah, well, there are a few other vulns that will probably get fixed in the following weeks :P

For the guys that have asked me in the past, "why do you do this for free?" Well, that's because.. it's like a hobby. I use Google a lot, and I am curious.. I have a very cool Google T-shirt, and, well, maybe in the future I can make my name appear over here..